Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags.

Since the implementation of my 2G Blacklist, I have enjoyed a significant decrease in the overall number and variety of site attacks. In fact, I had to time-travel back to March 1st just to find a candidate worthy of this month’s blacklist spotlight. I felt like Rod Roddy looking over the Price-is-Right audience to announce the next name only to discover a quiet, empty room. And then like Bob gets pissed that nobody showed up and begins to bark and snarl at Rod to go across the street to the clam store and find some damn contestants. Or, ..um, something like that. Needless to say, this month’s data isn’t as fresh as I would have liked, but I think you’ll find the information fascinating nonetheless. So let’s get on with it then:

Blacklist Candidate number 2008-04-27, come on down! You’re the next clam-store loser to get blacklisted from the site!

Synopsis

The breakdown: On March 1st, 2008, Perishable Press was attacked over 70 times from a single IP address. The attacks targeted well-known, indexed URLs by appending an apparently random selection of character strings. None of the attacks penetrated server/site defenses, and the scumbag was eventually blocked several days later after a routine access/error log investigation. The perpetrator (as identified via IP address) has not returned to the site since the initial attack.

Discussion

All attacks associated with this month’s blacklist candidate began on March 1st 2008, 02:45pm and continued until March 1st 2008, 03:39pm, as recorded in the site’s access/error logs. This is equivalent to around 54 minutes, during which time approximately 72 individual attacks were executed. This gives a rate of attack of about 1 attack every 45 seconds. Given that the attacks originated from a single, localized IP address, the rate of attack suggests that the process was not automated, but rather manually deployed.

Across the series, the attacks targeted fewer than twenty-five well-known, search-engine-indexed URLs on the perishablepress.com domain. Here are a few URL examples, taken directly from the associated access log:

Each of these URLs was appended with an apparently random assortment of character strings, including file names, JavaScript code, and PHP snippets. Here are a few examples of these “attack strings”, also taken from the access log:

Further, each of the attacks occurred using the site’s default theme¹. No referral information is associated with any of the attack data. Here is a log excerpt demonstrating the attributes outlined in the previous discussion:

Humiliation and Banishment

So, let’s summarize this pathetic clam-store wannabe. We have a single IP address registered in Amsterdam through the infamous RIPE network. Equipped with a whopping three differently identified user agents, our Blacklist Candidate for April targets a list of known URLs with an amateurish collection of piddly-wink attack strings that are simply “tacked on” to the targeted addresses. Then, as if this weren’t utterly sad enough by itself, consider that the average attack time is 45 seconds per hit. Like, you can just imagine ol’ numbnuts sitting there, counting on his fingers, typing in the browser’s address bar and mumbling out loud:

Duh, let’s see here, first you type the address, then you add the domain name.. um, no wait a minute.. first the address and then the secret code.. okay, um, now let’s see, what next.. oh yeah, hit the “enter” button..

Needless to say, idiots like this month’s Blacklist Candidate deserve to be exposed, humiliated, and ultimately banished. After all, even though the cracker shows zero signs of intelligence, the attacks were indeed deliberate and obviously hostile. Thus, I rest my case. Let’s blacklist this scumbag! :)

Blacklist via htaccess:

To blacklist this fool by IP via htaccess, copy & paste this code into your root htaccess file (click here for more information on this method):
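As an added illustration (not the post’s own code, and not a reconstruction of its missing htaccess snippet), here is a Python script that runs the kind of access-log check the Discussion section describes over a few constructed log lines: it groups requests carrying “tacked on” strings by client IP, reports hit count, mean gap between hits, number of user agents and referrer absence, and then emits an Apache 2.2-style deny block for the flagged addresses. The sample IPs and paths, the ATTACK_RE heuristic and the 10-second manual-versus-automated threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the post's real logs):
# one IP tacks strings onto known URLs 45 s apart, from three user agents, with no referrer.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2008:14:45:10 -0800] "GET /press/2008/some-post/this.options%5Bthis.selectedIndex%5D.value HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible)"
10.0.0.5 - - [01/Mar/2008:14:45:55 -0800] "GET /press/2007/other-post/<script>x</script> HTTP/1.1" 404 512 "-" "Opera/9.25"
10.0.0.5 - - [01/Mar/2008:14:46:40 -0800] "GET /press/about/config.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11)"
192.0.2.9 - - [01/Mar/2008:14:46:41 -0800] "GET /press/2008/some-post/ HTTP/1.1" 200 9876 "http://www.example.com/" "Mozilla/5.0 (X11)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed heuristic for the "tacked on" strings the post describes: bracket/tag/paren characters
# (raw or URL-encoded), a JS property access, or a stray .php file name ending a known URL.
ATTACK_RE = re.compile(r'(%5B|%3C|%28|[\[<(]|\.value\b|\.php$)', re.IGNORECASE)
MANUAL_GAP_S = 10.0  # assumption: gaps this long between hits point to a human, not a script

def summarize(log_text, min_hits=3):
    """Group suspicious requests by client IP and report the attributes the post examines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not ATTACK_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ip[m["ip"]].append((ts, m["ref"], m["ua"]))
    report = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gap = (hits[-1][0] - hits[0][0]).total_seconds() / (len(hits) - 1)
        report[ip] = {
            "attacks": len(hits),
            "mean_gap_s": gap,
            "user_agents": len({ua for _, _, ua in hits}),
            "no_referrer": all(ref == "-" for _, ref, _ in hits),
            "likely_manual": gap >= MANUAL_GAP_S,
        }
    return report

def htaccess_deny(report):
    """Apache 2.2-style deny block for every flagged IP, in the spirit of the post's method."""
    lines = ["# blacklist candidates", "order allow,deny"]
    lines += ["deny from %s" % ip for ip in sorted(report)]
    return "\n".join(lines + ["allow from all"])
```

On the sample above, only 10.0.0.5 is reported: three hits 45 seconds apart from three user agents with no referrer, which the script marks as likely manual, matching the post’s reasoning about its own candidate.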

As a matter of fact, I am working on it this very moment. Just as I was checking my site for proper functionality (I still test on this domain), I happened to notice your comment and well, there you go. I am hoping to have something by this time next week, possibly a little longer. But let me tell you, the new 3G blacklist is shaping up very well! ;) Stay tuned!

Hi, it was interesting to read your post. Today I have found 391 occurrences of an attack similar to yours, where almost every URL from our site has been gone through with about half having “this.options%5Bthis.selectedIndex%5D.value” appended at the end of URL. The IP address was a single IP address 83.43.215.17 and it used several user agents as in your case.

The attack lasted just under 10 minutes, which led me to believe it could have been automated, also because of the way the URLs have been jumped from one to another (e.g. two URLs from different parts of the site hierarchy being accessed within the same second, which is near impossible by typing or cutting/pasting URLs).

Fortunately, our site is well protected and no harm done, but thought you should add the above IP to your blacklist.

About the site

Perishable Press is the work of Jeff Starr, professional developer, designer, author, and publisher with over 10 years of experience.